authorAmaury Denoyelle <adenoyelle@haproxy.com>2020-11-13 16:05:00 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>2020-11-18 16:10:42 +0100
commit034c162b9bb0ef5bb56103f97a48cb8f6ce68cae (patch)
treeed3d9f5c693e833684c0ba8a1747047b53060953
parentf70b7db825da294d2df7ae025582c66b8a7c86c6 (diff)
downloadhaproxy-034c162b9bb0ef5bb56103f97a48cb8f6ce68cae.tar.gz
MEDIUM: stats: add counters for failed handshake
Report in the ssl stats the total number of handshakes that ended in failure.
-rw-r--r--src/ssl_sock.c61
1 files changed, 36 insertions, 25 deletions
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c4cda0562..a18ce6389 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -143,28 +143,33 @@ DECLARE_STATIC_POOL(ssl_sock_ctx_pool, "ssl_sock_ctx_pool", sizeof(struct ssl_so
enum {
SSL_ST_SESS,
SSL_ST_REUSED_SESS,
+ SSL_ST_FAILED_HANDSHAKE,
SSL_ST_STATS_COUNT /* must be the last member of the enum */
};
static struct name_desc ssl_stats[] = {
- [SSL_ST_SESS] = { .name = "ssl_sess",
- .desc = "Total number of ssl sessions established" },
- [SSL_ST_REUSED_SESS] = { .name = "ssl_reused_sess",
- .desc = "Total number of ssl sessions reused" },
+ [SSL_ST_SESS] = { .name = "ssl_sess",
+ .desc = "Total number of ssl sessions established" },
+ [SSL_ST_REUSED_SESS] = { .name = "ssl_reused_sess",
+ .desc = "Total number of ssl sessions reused" },
+ [SSL_ST_FAILED_HANDSHAKE] = { .name = "ssl_failed_handshake",
+ .desc = "Total number of failed handshake" },
};
static struct ssl_counters {
long long sess;
long long reused_sess;
+ long long failed_handshake;
} ssl_counters;
static void ssl_fill_stats(void *data, struct field *stats)
{
struct ssl_counters *counters = data;
- stats[SSL_ST_SESS] = mkf_u64(FN_COUNTER, counters->sess);
- stats[SSL_ST_REUSED_SESS] = mkf_u64(FN_COUNTER, counters->reused_sess);
+ stats[SSL_ST_SESS] = mkf_u64(FN_COUNTER, counters->sess);
+ stats[SSL_ST_REUSED_SESS] = mkf_u64(FN_COUNTER, counters->reused_sess);
+ stats[SSL_ST_FAILED_HANDSHAKE] = mkf_u64(FN_COUNTER, counters->failed_handshake);
}
static struct stats_module ssl_stats_module = {
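Review bot: The new description string in `ssl_stats[]` reads "Total number of failed handshake"; `.desc = "Total number of failed ssl handshakes"` would be grammatical and match the wording of the two entries above it. The `failed_handshake` field would also benefit from a comment stating what it counts, for example `/* handshakes that ended on the error path of ssl_sock_handshake(), all causes combined */`. The counter does not separate certificate errors, protocol or cipher mismatches and peer aborts, so anyone alerting on it needs to know it is an aggregate.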
@@ -5126,6 +5131,26 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (!conn_ctrl_ready(conn))
return 0;
+ /* get counters */
+ switch (obj_type(conn->target)) {
+ case OBJ_TYPE_LISTENER:
+ li = objt_listener(conn->target);
+ counters = EXTRA_COUNTERS_GET(li->extra_counters, &ssl_stats_module);
+ counters_px = EXTRA_COUNTERS_GET(li->bind_conf->frontend->extra_counters_fe,
+ &ssl_stats_module);
+ break;
+
+ case OBJ_TYPE_SERVER:
+ srv = objt_server(conn->target);
+ counters = EXTRA_COUNTERS_GET(srv->extra_counters, &ssl_stats_module);
+ counters_px = EXTRA_COUNTERS_GET(srv->proxy->extra_counters_be,
+ &ssl_stats_module);
+ break;
+
+ default:
+ break;
+ }
+
if (!conn->xprt_ctx)
goto out_error;
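Review bot: The `default:` arm of the relocated switch leaves `counters` and `counters_px` unassigned, yet the error path added later in this commit tests `if (counters)`. Their declarations are outside this hunk, so please confirm both are initialised to `NULL` where declared; otherwise a target that is neither a listener nor a server reads an indeterminate pointer. The lookup also now runs before the `!conn->xprt_ctx` check and on every call, so a short comment such as `/* resolved up front so the out_error path can account failed handshakes */` would explain why it moved. The function body starts and ends outside the hunk.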
@@ -5363,25 +5388,6 @@ reneg_ok:
if (global_ssl.async)
SSL_clear_mode(ctx->ssl, SSL_MODE_ASYNC);
#endif
- switch (obj_type(conn->target)) {
- case OBJ_TYPE_LISTENER:
- li = objt_listener(conn->target);
- counters = EXTRA_COUNTERS_GET(li->extra_counters, &ssl_stats_module);
- counters_px = EXTRA_COUNTERS_GET(li->bind_conf->frontend->extra_counters_fe,
- &ssl_stats_module);
- break;
-
- case OBJ_TYPE_SERVER:
- srv = objt_server(conn->target);
- counters = EXTRA_COUNTERS_GET(srv->extra_counters, &ssl_stats_module);
- counters_px = EXTRA_COUNTERS_GET(srv->proxy->extra_counters_be,
- &ssl_stats_module);
- break;
-
- default:
- break;
- }
-
/* Handshake succeeded */
if (!SSL_session_reused(ctx->ssl)) {
if (objt_server(conn->target)) {
@@ -5420,6 +5426,11 @@ reneg_ok:
__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr = NULL;
}
+ if (counters) {
+ ++counters->failed_handshake;
+ ++counters_px->failed_handshake;
+ }
+
/* Fail on all other handshake errors */
conn->flags |= CO_FL_ERROR;
if (!conn->err_code)
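Review bot: The two `++` increments added before `/* Fail on all other handshake errors */` are plain read-modify-write operations on counters that appear to be shared between threads (the same path indexes `reused_sess[tid]`), so concurrent handshake failures could lose updates. If these counter structures are not per-thread, use the project's atomic helper instead, e.g. `_HA_ATOMIC_ADD(&counters->failed_handshake, 1);` and likewise for `counters_px`. The guard also tests only `counters` while dereferencing `counters_px`, which is safe only as long as the two are always assigned together; a comment saying so, or `if (counters && counters_px)`, would make that explicit. The enclosing function starts and ends outside the hunk.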